chore: Use GH app instead of PAT

.github/workflows/cache-maven-dependencies.yaml

@@ -1,11 +1,12 @@
-name: "Cache Maven Dependencies"
+name: 'Cache Maven Dependencies'
 permissions:
   contents: read
+  actions: write
 
 on:
   workflow_dispatch:
   schedule:
-      - cron: '57 4 * * Sun'
+    - cron: '57 4 * * Sun'
 
 env:
   MAVEN_CACHE_REF: refs/heads/main
@@ -16,31 +17,31 @@ jobs:
   update-cache:
     runs-on: ubuntu-latest
     steps:
-      - name: "Checkout"
+      - name: 'Checkout'
         uses: actions/checkout@v6
         with:
           ref: ${{ env.MAVEN_CACHE_REF }}
 
-      - name: "Setup Java"
+      - name: 'Setup Java'
         uses: actions/setup-java@v5
         with:
-          distribution: "sapmachine"
+          distribution: 'sapmachine'
           java-version: 21
 
-      - name: "Download Dependencies"
+      - name: 'Download Dependencies'
         run: mvn -B dependency:go-offline
 
-      - name: "Delete Existing Caches"
+      - name: 'Delete Existing Caches'
         run: |
           CACHE_IDS=$(gh cache list --key "${{ env.MAVEN_CACHE_KEY }}" --ref "${{ env.MAVEN_CACHE_REF }}" --json id | jq -r '.[] | .id')
           for CACHE_ID in $CACHE_IDS; do
               echo "Deleting cache with ID: $CACHE_ID"
               gh cache delete "${CACHE_ID}"
           done
         env:
-          GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: "Cache Dependencies"
+      - name: 'Cache Dependencies'
         uses: actions/cache/save@v5
         with:
           path: ${{ env.MAVEN_CACHE_DIR }}

.github/workflows/dependabot-automerge.yaml

@@ -1,4 +1,4 @@
-name: "Dependabot Auto-Merge"
+name: 'Dependabot Auto-Merge'
 
 on:
   workflow_dispatch:
@@ -14,29 +14,38 @@ env:
 jobs:
   review-prs:
     runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-      contents: write
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.SAP_AI_SDK_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SAP_AI_SDK_BOT_PRIVATE_KEY }}
+          owner: SAP
+          repositories: ai-sdk-java
+          permission-pull-requests: write
+
       - name: Checkout
         uses: actions/checkout@v6
 
       - name: Approve and Merge PRs
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           PRS=$(gh pr list --app "dependabot" --state "open" --json number,title)
           PR_NUMBERS=
           while IFS= read -r GROUP; do
             if [[ -z "$GROUP" ]]; then
               continue
             fi
-          
+
             MATCHES=$(jq -r --arg group "$GROUP" '.[] | select(.title | contains($group)) | .number' <<< "$PRS")
             echo "[DEBUG] Found PRs for group '$GROUP': '$MATCHES'"
-          
+
             PR_NUMBERS="$MATCHES"$'\n'"$PR_NUMBERS"
           done <<< "${{ env.DEPENDABOT_GROUPS }}"
           echo "[DEBUG] Approving and Merging following PRs: '$PR_NUMBERS'"
-          
+
           while IFS= read -r PR_NUMBER; do
             if [[ -z "$PR_NUMBER" ]]; then
               continue
@@ -46,5 +55,3 @@ jobs:
             gh pr merge "$PR_NUMBER" --auto --squash
             gh pr review "$PR_NUMBER" --approve
           done <<< "$PR_NUMBERS"
-        env:
-          GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}

.github/workflows/fosstars-report.yml

@@ -1,4 +1,4 @@
-name: "Fosstars (Security)"
+name: 'Fosstars (Security)'
 on:
   workflow_dispatch:
   schedule:
@@ -13,53 +13,53 @@ env:
 
 jobs:
   create_fosstars_report:
-    name: "Security rating"
+    name: 'Security rating'
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       actions: write
     steps:
-      - name: "Checkout repository"
+      - name: 'Checkout repository'
         uses: actions/checkout@v6
 
-      - name: "Setup java"
+      - name: 'Setup java'
         uses: actions/setup-java@v5
         with:
-          distribution: "sapmachine"
+          distribution: 'sapmachine'
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
 
-      - name: "Restore CVE Database"
+      - name: 'Restore CVE Database'
         uses: actions/cache/restore@v5
         with:
           path: ${{ env.CVE_CACHE_DIR }}
           key: ${{ env.CVE_CACHE_KEY }}
-         # fail-on-cache-miss: true
+          # fail-on-cache-miss: true
 
-      - name: "Build SDK"
+      - name: 'Build SDK'
         run: |
           MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
           mvn $MVN_ARGS
 
-      - name: "Create settings.xml"
+      - name: 'Create settings.xml'
         run: |
           echo '${{ secrets.OSS_INDEX_SETTINGS_XML }}' > settings.xml
 
-      - name: "CVE Scan"
+      - name: 'CVE Scan'
         env:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: >
           mvn -T1 --no-transfer-progress -s settings.xml
           --batch-mode org.owasp:dependency-check-maven:check org.owasp:dependency-check-maven:aggregate
 
-      - name: "Archive CVE Report"
+      - name: 'Archive CVE Report'
         uses: actions/upload-artifact@v7
         with:
           name: cve-report
           path: target/dependency-check-report.html
           retention-days: 7
 
-      - name: "Delete Old CVE Cache"
+      - name: 'Delete Old CVE Cache'
         run: |
           CACHE_IDS=$(gh cache list --key "${{ env.CVE_CACHE_KEY }}" --ref "${{ env.CVE_CACHE_REF }}" --json id | jq -r '.[] | .id')
           for CACHE_ID in $CACHE_IDS; do
@@ -69,20 +69,20 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: "Create Updated CVE Cache"
+      - name: 'Create Updated CVE Cache'
         uses: actions/cache/save@v5
         with:
           path: ${{ env.CVE_CACHE_DIR }}
           key: ${{ env.CVE_CACHE_KEY }}
 
       # This action changes the active branch!
-      - name: "Fosstars Rating"
+      - name: 'Fosstars Rating'
         uses: SAP/fosstars-rating-core-action@v1.14.0
         with:
           report-branch: fosstars-report
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: "Slack Notification"
+      - name: 'Slack Notification'
         if: failure()
         uses: slackapi/slack-github-action@v2.1.1
         with:

.github/workflows/perform-release.yaml

@@ -1,13 +1,13 @@
-name: "Perform Release"
+name: 'Perform Release'
 
 on:
   workflow_dispatch:
     inputs:
       release_pr_number:
-        description: "The PR number of the release PR"
+        description: 'The PR number of the release PR'
         required: true
       skip-pr-merge:
-        description: "Whether to skip merging the PRs"
+        description: 'Whether to skip merging the PRs'
         required: false
         default: false
         type: boolean
@@ -19,38 +19,47 @@ env:
 
 jobs:
   prerequisites:
-    name: "Prerequisites"
+    name: 'Prerequisites'
     outputs:
       code-branch: ${{ steps.determine-branch-names.outputs.CODE_BRANCH_NAME }}
       release-notes-branch: ${{ steps.determine-branch-names.outputs.RELEASE_NOTES_BRANCH_NAME }}
       release-tag: ${{ steps.determine-branch-names.outputs.RELEASE_TAG }}
       release-commit: ${{ steps.determine-branch-names.outputs.RELEASE_COMMIT }}
-    permissions: write-all # contents and push are needed to see the draft release
     runs-on: ubuntu-latest
     steps:
-      - name: "Determine Branch Names"
+      - name: 'Determine Branch Names'
         id: determine-branch-names
         run: |
           CODE_BRANCH_NAME=$(gh pr view ${{github.event.inputs.release_pr_number}} --repo ${{github.repository}} --json headRefName --jq '.headRefName')
           RELEASE_VERSION=$(echo $CODE_BRANCH_NAME | cut -d '-' -f2)
           RELEASE_TAG=rel/$RELEASE_VERSION
           RELEASE_COMMIT=$(gh release view $RELEASE_TAG --repo ${{github.repository}} --json targetCommitish --jq '.targetCommitish')
           RELEASE_NOTES_BRANCH_NAME=java/release-notes-$RELEASE_VERSION
-          
+
           echo "CODE_BRANCH_NAME=$CODE_BRANCH_NAME" >> $GITHUB_OUTPUT
           echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_OUTPUT
           echo "RELEASE_TAG=$RELEASE_TAG" >> $GITHUB_OUTPUT
           echo "RELEASE_COMMIT=$RELEASE_COMMIT" >> $GITHUB_OUTPUT
           echo "RELEASE_NOTES_BRANCH_NAME=$RELEASE_NOTES_BRANCH_NAME" >> $GITHUB_OUTPUT
-          
+
           echo -e "[DEBUG] Current GITHUB_OUTPUT:\n$(cat $GITHUB_OUTPUT)"
         env:
           GH_TOKEN: ${{ github.token }}
 
-      - name: "Checkout Repository"
+      - name: 'Generate GitHub App token'
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.SAP_AI_SDK_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SAP_AI_SDK_BOT_PRIVATE_KEY }}
+          owner: SAP
+          repositories: ai-sdk
+          permission-pull-requests: read
+
+      - name: 'Checkout Repository'
         uses: actions/checkout@v6
 
-      - name: "Check Whether Code PR Can Be Merged"
+      - name: 'Check Whether Code PR Can Be Merged'
         if: ${{ inputs.skip-pr-merge != 'true' }}
         uses: ./.github/actions/pr-is-mergeable
         with:
@@ -61,40 +70,52 @@ jobs:
               \"dependabot merger\": [] 
             }
 
-      - name: "Check Code Release Commit Continuous Integration"
+      - name: 'Check Code Release Commit Continuous Integration'
         if: ${{ inputs.skip-pr-merge != 'true' }}
         uses: ./.github/actions/workflow-succeeded
         with:
-          workflow: "Continuous Integration"
+          workflow: 'Continuous Integration'
           sha: ${{ steps.determine-branch-names.outputs.RELEASE_COMMIT }}
 
-      - name: "Check Whether Release Notes PR Can Be Merged"
+      - name: 'Check Whether Release Notes PR Can Be Merged'
         if: ${{ inputs.skip-pr-merge != 'true' }}
         uses: ./.github/actions/pr-is-mergeable
         with:
           pr-ref: ${{ steps.determine-branch-names.outputs.RELEASE_NOTES_BRANCH_NAME }}
           repo: ${{ env.DOCS_REPO }}
-          token: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          token: ${{ steps.app-token.outputs.token }}
           excluded-check-runs: |
             {
               \"Build Cloud SDK Documentation\": [\"dependabot\"]
             }
 
   release:
-    name: "Release"
-    needs: [ prerequisites ]
+    name: 'Release'
+    needs: [prerequisites]
     runs-on: ubuntu-latest
     permissions:
-      contents: write # needed to modify the release draft
-      pull-requests: write # needed to merge the release PR
+      contents: read
     steps:
-      - name: "Setup java"
+      - name: 'Generate GitHub App token'
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.SAP_AI_SDK_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SAP_AI_SDK_BOT_PRIVATE_KEY }}
+          owner: SAP
+          repositories: |
+            ai-sdk-java
+            ai-sdk
+          permission-contents: write # needed to modify the release draft
+          permission-pull-requests: write # needed to merge the release PR
+
+      - name: 'Setup java'
         uses: actions/setup-java@v5
         with:
-          distribution: "sapmachine"
+          distribution: 'sapmachine'
           java-version: ${{ env.JAVA_VERSION }}
 
-      - name: "Download Release Asset"
+      - name: 'Download Release Asset'
         id: download-asset
         run: |
           gh release download ${{ needs.prerequisites.outputs.release-tag }} --dir ./ --repo "${{ github.repository }}"
@@ -103,36 +124,36 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: "Import GPG Key"
+      - name: 'Import GPG Key'
         run: |
           echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --batch --passphrase "$PASSPHRASE" --import
         env:
           PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
 
-      - name: "Create settings.xml"
+      - name: 'Create settings.xml'
         run: |
           echo '${{ secrets.CENTRAL_SONATYPE_SETTINGS_XML }}' > settings.xml
 
-      - name: "Deploy"
+      - name: 'Deploy'
         run: |
           MVN_ARGS="${{ env.MVN_CLI_ARGS }} -Drelease -s settings.xml"
           mvn deploy $MVN_ARGS
         env:
           MAVEN_GPG_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
 
-      - name: "Merge Code PR"
+      - name: 'Merge Code PR'
         if: ${{ inputs.skip-pr-merge != 'true' }}
         run: gh pr merge --squash "${{ needs.prerequisites.outputs.code-branch }}" --delete-branch --repo "${{ github.repository }}"
         env:
-          GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
 
-      - name: "Publish the Draft Release"
+      - name: 'Publish the Draft Release'
         run: gh release edit ${{ needs.prerequisites.outputs.release-tag }} --draft=false --repo "${{ github.repository }}"
         env:
-          GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
 
-      - name: "Merge Release Notes PR"
+      - name: 'Merge Release Notes PR'
         if: ${{ inputs.skip-pr-merge != 'true' }}
         run: gh pr merge --squash "${{ needs.prerequisites.outputs.release-notes-branch }}" --delete-branch --repo "${{ env.DOCS_REPO }}"
         env:
-          GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}